Problem creating new certificate for Nextcloud Installation


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: xx-xx.net

I ran this command: sudo /var/scripts/activate-ssl.sh

It produced this output: Stalls after entering my domain name (spinner just spins).

My web server is (include version): This is part of my question.

The operating system my web server runs on is (include version): Ubuntu running in Hyper-v on Windows 8.1 host.

My hosting provider, if applicable, is: This is part of my question.

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):?

MY ISSUE:

I’m a complete newbie to these kinds of internet issues but am otherwise computer literate.

I have Nextcloud installed in Hyper-V under Windows 8.1 host. Nextcloud is working on local network and is accessible using my domain name, but only via HTTP. I have ports 80 and 443 opened on my router for the Nextcloud IP address. Trying to create an SSL Certificate.

I obtained a domain name to use only for Nextcloud exclusively. I do not have a web site, so nothing is being “hosted” by any service provider.

At the registration service where I bought the domain name, I configured the “A” rules using the wildcard “*” so that my domain name points to my external IP address. I also added an entry for “cloud” so that “cloud.mydomain.net” also points to my external IP address. I added both of these as “trusted domains” in my Nextcloud config file.

When I try to create a certificate using:
sudo /var/scripts/activate-ssl.sh
after answering the questions and entering my domain name (i.e., cloud.mydomain.net), it just hangs (indicator spins) and will not progress.

Question: Can I “self-host” my domain (i.e., Nextcloud) or do I have to have my domain hosted at a hosting service in order to create the certificate?

Does Nextcloud have the ACME Cert Bot function built in, or do I have to have my domain hosted by a service provider?

Do I need to check with my ISP to make sure they’re allowing this kind of traffic to my computer?

This is very confusing. Not sure if I used correct terms above. After much searching, could not find answers to these questions. Thanks.


#2

Hi,

I’m not sure how the nextcloud ssl.sh works.

This looks fine.

You absolutely can self host the domain (and website)
In order for LE to issue a certificate, your website (domain) needs to be publicly accessible (other machines outside your network can view the website).

This is what I’m not sure about.
However, you don’t need a built-in to get a TLS certificate.
(When I searched on internet, this might help. https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-nextcloud-on-ubuntu-16-04)

This website provides you with instructions on obtaining a TLS certificate from LE.

It depends on your ISP.
Most ISPs block traffic from port 80. (This can be checked by visiting your website from outside your network.)
If you can’t access your website from outside, and your IP and port forwarding are done correctly, your ISP is blocking it.

From this I know you have a misconfiguration at your DNS.
Setting up a * can only allow all subdomains to have the IP; you still need to specify your root domain. (mc-ms.net can’t be accessed since you didn’t set up an IP for it; www.mc-ms.net can be accessed but I can’t see it… might be some issue.)

Thank you


#3

Thank you. You supplied some helpful comments. The more I can eliminate the questions the closer I can get to fixing the issue. I’m checking the link you sent and also going to do more research on how I have my domain configured at the registrar.


#4

You mentioned:

Is the NextCloud system running in Linux or Windows?


#5

Nextcloud is running on Ubuntu 16.04 in a Hyper-v terminal (on a Windows machine). So, running in Ubuntu.


#6

Check:
https://docs.nextcloud.com/server/13/admin_manual/installation/source_installation.html#enabling-ssl


#7

@scooter2
Please don’t use this if you are sure that port 443 is not blocked by your ISP. (AT&T claimed they don’t block any regular ports: 80, 443 included.)

This command is going to provide you an invalid (self-signed) certificate.

Thank you


#8

As I understand it, that reference is to the “self-signed” certificate which isn’t as desirable as the commercial certificate. The self-signed certificates give the user a warning each time, whereas the commercial certificates (such as from LetsEncrypt) eliminate that warning and are more secure. So that’s what I want to set up.


#9

It is a (working) start.
And you can build from there.

Anything is better than nothing.


#10

I may experiment with that option just to become more familiar with the setup, keeping in mind what stevenzhu noted. Ultimately I want to get the commercial certification working since that is what’s recommended by the Nextcloud community (but they aren’t as familiar with the LetsEncrypt setup).


#11

I understand the plan.
I’m just trying to help you figure out which piece is broken.


#12

The Nextcloud community is certainly free to recommend whatever it likes, but I’d just like to point out that there is very little difference in browser support and no difference in cryptographic security between Let’s Encrypt certificates and paid CA certificates. It seems plausible that that community could be persuaded that there’s no specific reason to prefer paid certificates.


#13

Perhaps I used incorrect terminology. The Nextcloud community recommends LetsEncrypt which is what I want to get working. I used the term “commercial certification” only to distinguish from “self-certification” which is what’s described in the link provided by rg305. By “commercial certification” I meant to include both LetsEncrypt & paid CA certificates. Maybe there’s a better inclusive term to distinguish those two from “self-certification” (which is what I don’t want).


#14

Hi,

A few questions need to be answered:

  1. What software are you using (Apache or Nginx)?
  2. Do you have vHost files that you can edit and specify ssl hosts?
  3. Can your website be visited outside your network?

Thank you


#15
  1. Software is Apache2.
  2. Nextcloud uses config.php files that I can edit. Not sure about vHost or what that is.
  3. I don’t have a “web site” other than Nextcloud. I can type my domain name in my browser and it takes me to my Nextcloud installation, but only as http (not https).

The Nextcloud setup has a script to configure the SSL settings:

sudo /var/scripts/activate-ssl.sh

But when I run it, it stalls (hangs indefinitely) after I enter my domain-name.net.

NOTE: I just discovered that, as you previously mentioned, I had my “A” records mis-configured due to using the asterisk ( * ). I have now changed that to use the " @ " symbol. Using MXToolbox:

https://mxtoolbox.com/SuperTool.aspx?action=txt%3Acloud.mc-ms.net&run=toolpage#

I believe my domain is now correctly configured and will try the certification script again. Will update accordingly.
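The DNS point raised in #2 and confirmed in #15 (a “*” A record covers subdomains but not the root domain, so the CA has no address to reach) worked through as a toy zone lookup. This is an added example, not code from the thread, Nextcloud or Let’s Encrypt; the zone contents are constructed, mc-ms.net is the domain named in the thread, and 203.0.113.10 is a documentation-range placeholder address.

```python
"""Toy zone lookup: why an "*" A record does not make the root domain resolve.

Added example (not from the thread or any Nextcloud / Let's Encrypt tooling).
Zones are constructed; 203.0.113.10 is a documentation-range address.
Records are keyed by owner name relative to the apex: "@" is the apex,
"*" the wildcard, "cloud" the cloud.<apex> host.
"""
from typing import Dict, Iterable, Optional

APEX = "mc-ms.net"

# What the original poster had: a wildcard plus an explicit "cloud" host.
ZONE_BEFORE: Dict[str, str] = {"*": "203.0.113.10", "cloud": "203.0.113.10"}

# After the fix: the apex ("@") gets its own record.
ZONE_AFTER: Dict[str, str] = {"@": "203.0.113.10", "cloud": "203.0.113.10"}


def resolve_a(zone: Dict[str, str], apex: str, name: str) -> Optional[str]:
    """Return the A record `name` would get, following RFC 1034/4592 rules:
    exact record first; the apex matches only "@"; "*" matches a name only
    when no closer existing node sits between it and the apex."""
    name, apex = name.rstrip(".").lower(), apex.rstrip(".").lower()
    if name == apex:
        return zone.get("@")          # a wildcard never covers the apex itself
    if not name.endswith("." + apex):
        return None                   # not in this zone at all
    relative = name[: -(len(apex) + 1)]
    if relative in zone:
        return zone[relative]         # explicit record wins over the wildcard
    labels = relative.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in zone:
            return None               # x.cloud.<apex>: "cloud" exists, "*" not used
    return zone.get("*")


def acme_preflight(zone: Dict[str, str], apex: str, hostnames: Iterable[str]) -> Dict[str, bool]:
    """Per requested certificate name: does DNS give the CA an address to connect to?
    False means the HTTP-01 / TLS-ALPN-01 check can never reach the server."""
    return {h: resolve_a(zone, apex, h) is not None for h in hostnames}


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, acme_preflight(zone, APEX, [APEX, "cloud." + APEX, "www." + APEX]))
```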


#16

Ports 80 and 443 seem inaccessible from the Internet.

EDIT: Both ports up now.


#17

My server was down for a bit due to thunderstorms. Should be back up now. I don’t know what the “net mask” is, and not sure what ATT does. But, I do think I have the domain part configured correctly now, and ports 80 & 443 open.


#18

OK.
The good news is that https:// does show a login.
The bad news is the cert is self-signed.

We just need to find where it uses that cert and replace that with a valid LE cert.
Towards that end, have you installed certbot or certbot-auto?


#19

Success! I just now created a certificate using LetsEncrypt, successfully.

Now, I’ll look into setting up certbot/certbot-auto. Thank you so much for your help, and for that of stevenzhu. You both guided me to the correct solution. I had mis-configured my domain by using " * " instead of " @ " to redirect to my external IP. All seems to be working now (short of adding the certbot solution).


#20

Excellent!